b'                                      SOCIAL SECURITY\nMEMORANDUM\n\nDate:      April 17, 2008                                               Refer To:\n\nTo:        The Commissioner\n\nFrom:      Inspector General\n\nSubject:   On-site Security Control and Audit Reviews at Program Service Centers\n           (A-03-07-17064)\n\n\n           The attached final report presents the results of our audit. Our objectives were to\n           assess (1) the Social Security Administration\xe2\x80\x99s (SSA) procedures for selecting Program\n           Service Center components for On-site Security Control and Audit Reviews (OSCAR),\n           (2) SSA\xe2\x80\x99s system for ensuring appropriate correction of deficiencies identified through\n           OSCARs, and (3) additional steps SSA can take to enhance the OSCAR guide.\n\n           Please provide within 60 days a corrective action plan that addresses each\n           recommendation. If you wish to discuss the final report, please call me or have your\n           staff contact Steven L. Schaeffer, Assistant Inspector General for Audit, at\n           (410) 965-9700.\n\n\n\n\n                                                             Patrick P. O\xe2\x80\x99Carroll, Jr.\n\n           Attachment\n\x0c           OFFICE OF\n    THE INSPECTOR GENERAL\n\nSOCIAL SECURITY ADMINISTRATION\n\n  ON-SITE SECURITY CONTROL\n      AND AUDIT REVIEWS\n  AT PROGRAM SERVICE CENTERS\n\n  April 2008      A-03-07-17064\n\n\n\n\n AUDIT REPORT\n\x0c                                    Mission\nBy conducting independent and objective audits, evaluations and investigations,\nwe inspire public confidence in the integrity and security of SSA\xe2\x80\x99s programs and\noperations and protect them against fraud, waste and abuse. 
We provide timely,\nuseful and reliable information and advice to Administration officials, Congress\nand the public.\n\n                                   Authority\nThe Inspector General Act created independent audit and investigative units,\ncalled the Office of Inspector General (OIG). The mission of the OIG, as spelled\nout in the Act, is to:\n\n  \xef\x81\xad Conduct and supervise independent and objective audits and\n    investigations relating to agency programs and operations.\n  \xef\x81\xad Promote economy, effectiveness, and efficiency within the agency.\n  \xef\x81\xad Prevent and detect fraud, waste, and abuse in agency programs and\n    operations.\n  \xef\x81\xad Review and make recommendations regarding existing and proposed\n    legislation and regulations relating to agency programs and operations.\n  \xef\x81\xad Keep the agency head and the Congress fully and currently informed of\n    problems in agency programs and operations.\n\n  To ensure objectivity, the IG Act empowers the IG with:\n\n  \xef\x81\xad Independence to determine what reviews to perform.\n  \xef\x81\xad Access to all information necessary for the reviews.\n  \xef\x81\xad Authority to publish findings and recommendations based on the reviews.\n\n                                     Vision\nWe strive for continual improvement in SSA\xe2\x80\x99s programs, operations and\nmanagement by proactively seeking new ways to prevent and deter fraud, waste\nand abuse. 
We commit to integrity and excellence by supporting an environment\nthat provides a valuable public service while encouraging employee development\nand retention and fostering diversity and innovation.\n\x0c                                                Executive Summary\nOBJECTIVE\nOur objectives were to assess (1) the Social Security Administration\xe2\x80\x99s (SSA) procedures\nfor selecting Program Service Center (PSC) components for On-site Security Control\nand Audit Reviews (OSCAR), (2) SSA\xe2\x80\x99s system for ensuring appropriate correction of\ndeficiencies identified through OSCARs, and (3) additional steps SSA can take to\nenhance the OSCAR guide.\n\nBACKGROUND\nSSA must comply with the Federal requirements associated with management controls\nand provide assurances that its financial, programmatic, and administrative processes\nare functioning as intended. SSA designed the Management Control Review (MCR)\nprogram to satisfy the Federal requirements. The MCR program is implemented within\nthe PSCs using the Program Service Center OSCAR Guide, which standardizes\nAgency-wide review techniques and reporting criteria for various management control\nareas.\n\nSSA has eight PSCs, six of which are located in the regions, and two are located in the\nAgency\xe2\x80\x99s Headquarters in Baltimore, Maryland. The Centers for Security and Integrity\n(CSI) are responsible for conducting OSCARs at the PSCs, while the Division of\nFinancial Integrity (DFI) is responsible for ensuring compliance of the MCR program.\nUnder the PSC OSCAR guide, the components within the PSCs are required to be\nreviewed at least once within a 5-year period. 
The reviews cover a number of\nprogrammatic and administrative functions, including: (1) security of automated\nsystems, (2) physical and protective security, (3) time and attendance, (4) enumeration,\nand (5) third-party draft account.\n\nRESULTS OF REVIEW\nWe found that two of the eight PSCs were not on track with meeting the PSC OSCAR\nrequirement that each PSC component be reviewed at least once every 5 years. The\ntwo PSCs located in SSA Headquarters had not been reviewed under the PSC OSCAR\nprocess at the time of our review, even though it conducted the same type of work as\nthe non-Headquarters PSCs. Currently, SSA is developing an OSCAR guide for these\ntwo PSCs and plans to conduct reviews in FY 2008. Moreover, we found that SSA did\nnot have a consistent policy to determine which PSC components should be included in\nthe OSCAR process. As a result, some PSC OSCARs were more comprehensive than\nothers.\n\n\n\n\nOn-site Security Control and Audit Reviews at PSCs (A-03-07-17064)                  i\n\x0cGenerally, we found the issuance of the OSCAR reports and implementation of the\nrecommendations to be timely, but monitoring and following up on actions related to\nOSCAR reports could be improved. Finally, current PSC OSCAR guidance did not\ninclude sufficient steps to ensure that sensitive information contained in SSA\xe2\x80\x99s\nautomated systems was properly protected.\n\nCONCLUSION AND RECOMMENDATIONS\nWhile SSA is making progress to ensure that all PSCs meet the 5-year OSCAR\nrequirement, the Agency needs to ensure that the CSI components have a consistent\nmethod for identifying components subject to review and then maintain a management\ntracking system to assess their overall progress. 
Finally, SSA needs to ensure the PSC\nOSCAR guide addresses known areas of risk, such as the need to safeguard laptop\ncomputers and/or the personally identifiable information contained therein.\n\nTo improve the OSCAR process and increase its effectiveness, we recommend SSA:\n\n\xe2\x80\xa2   Develop a consistent national policy on which PSC components are included in the\n    OSCAR process and ensure any changes from this policy are approved by DFI\n    management.\n\n\xe2\x80\xa2   Review all PSC components at least once during a 5-year cycle.\n\n\xe2\x80\xa2   Establish a minimum number or percent of PSC component reviews that must be\n    conducted annually within each region, similar to the 10-percent rule used by other\n    SSA offices conducting OSCARs.\n\n\xe2\x80\xa2   Ensure the Office of Disability Operations and the Office of International Operations\n    PSCs are reviewed timely under the PSC OSCAR process.\n\n\xe2\x80\xa2   Require that the CSI offices obtain and maintain validation reports in a timely\n    manner.\n\n\xe2\x80\xa2   Develop the Automated OSCAR for the PSCs so that CSIs can (a) automatically\n    track and monitor the OSCAR reports, corrective actions, and validation reports and\n    (b) accurately report to DFI the number of reviews conducted.\n\n\xe2\x80\xa2   Update the OSCAR guide, as needed, to include the protection of sensitive data,\n    especially to safeguard laptop computers and/or the personally identifiable\n    information contained within the laptop computers taken outside of the PSCs.\n\n\n\n\nOn-site Security Control and Audit Reviews at PSCs (A-03-07-17064)                    ii\n\x0c                                                                      Table of Contents\n                                                                                                                Page\n\nINTRODUCTION ..................................................................................................... 
1\n\nRESULTS OF REVIEW .......................................................................................... 3\n\nOSCAR Coverage and Selection ............................................................................ 3\n\n    \xe2\x80\xa2    Required Coverage ...................................................................................... 3\n\n    \xe2\x80\xa2    Selection of Components for Review............................................................ 5\n\nCorrections of Deficiencies...................................................................................... 7\n\n    \xe2\x80\xa2    Timeliness of Issuing and Responding to OSCAR Reports .......................... 7\n\n    \xe2\x80\xa2    Follow-up Reports ........................................................................................ 8\n\n    \xe2\x80\xa2    Monitoring System ........................................................................................ 8\n\n    \xe2\x80\xa2    Protection of Sensitive Data ....................................................................... 10\n\nCONCLUSIONS AND RECOMMENDATIONS ..................................................... 
11\n\nAPPENDICES\n\nAPPENDIX A \xe2\x80\x93 Acronyms\n\nAPPENDIX B \xe2\x80\x93 Scope and Methodology\n\nAPPENDIX C \xe2\x80\x93 Functions and Description of the Program Service\n             Centers\n\nAPPENDIX D \xe2\x80\x93 Comparison of Program Service Center Components\n             Reviewed Under On-Site Security Control and Audit\n             Reviews\n\nAPPENDIX E \xe2\x80\x93 Recommendations Not Implemented\n\nAPPENDIX F \xe2\x80\x93 Agency Comments\n\nAPPENDIX G \xe2\x80\x93 OIG Contacts and Staff Acknowledgments\n\n\n\nOn-site Security Control and Audit Reviews at PSCs (A-03-07-17064)\n\x0c                                                                             Introduction\nOBJECTIVE\nOur objectives were to assess (1) the Social Security Administration\xe2\x80\x99s (SSA) procedures\nfor selecting Program Service Center (PSC) components for On-site Security Control\nand Audit Reviews (OSCAR), (2) SSA\xe2\x80\x99s system for ensuring appropriate correction of\ndeficiencies identified through OSCARs, and (3) additional steps SSA can take to\nenhance the OSCAR guide.\n\nBACKGROUND\n\nSSA must comply with the Federal requirements associated with management controls\nand provide assurances that its financial, programmatic, and administrative processes\nare functioning as intended. These requirements include the Federal Managers\'\nFinancial Integrity Act (FMFIA). 1 SSA designed the Management Control Review\n(MCR) program to satisfy the Federal requirements. The Division of Financial Integrity\n(DFI) develops and executes the MCR program in the PSCs to comply with the FMFIA.\n\nSSA has eight PSCs, six of which are located within the regions, and two are located at\nthe Agency Headquarters in Baltimore, Maryland (see Table 1). 
The MCR program is\nimplemented in the PSCs using the Program Service Center Onsite Security, Control\nand Audit Review (OSCAR) Guide, which standardizes Agency-wide review techniques\nand reporting criteria for various management control areas, including: (1) security of\nautomated systems, (2) physical and protective security, (3) time and attendance,\n(4) enumeration, and (5) third-party draft account. 2 While the Centers for Security and\nIntegrity (CSI) are responsible for conducting the reviews at the PSCs, 3 SSA may hire a\ncontractor to perform the PSC reviews as well.\n\n\n\n\n1\n    Federal Managers\xe2\x80\x99 Financial Integrity Act of 1982, Pub. L. No. 97-255.\n2\n See Appendix B for a complete listing of the management control areas that are reviewed under the\nOSCAR process.\n3\n The CSIs may refer to the OSCAR reviews by different names, such as Comprehensive Component\nReviews, Management Control Reviews, and External Security Reviews.\n\nOn-site Security Control and Audit Reviews at PSCs (A-03-07-17064)                            1\n\x0c                                      Table 1: PSCs at SSA\n                               PSC                                     Location\n      Northeastern Program Service Center (NEPSC)             Jamaica, New York\n      Mid-Atlantic Program Service Center (MATPSC)            Philadelphia, Pennsylvania\n      Southeastern Program Service Center (SEPSC)             Birmingham, Alabama\n      Great Lakes Program Service Center (GLPSC)              Chicago, Illinois\n      Western Program Service Center (WNPSC)                  Richmond , California\n      Mid-America Program Service Center (MAMPSC)             Kansas City, Missouri\n      Office of Disability Operations (ODO)                   Baltimore, Maryland\n      Office of International Operations (OIO)                Baltimore, Maryland\n\nUnder the OSCAR guide, all components within the PSCs must be reviewed at least\nonce during a 5-year period. 
For example, a PSC may have 24 different components\nassociated with areas such as disability operations, claims taking, and personnel and\ntraining, and each of these components must be reviewed within the 5-year cycle. To\nevaluate the management control areas as part of the OSCAR process, CSI staff\nconducts interviews, observes operations, and verifies information. Once the on-site\nactivities are completed, the CSI staff meets with component management to discuss\nthe findings and recommendations. Table 2 below provides the OSCAR reporting and\ncorrective actions timeline for CSI staff and the components reviewed.\n\n            Table 2: Timing of OSCAR Reporting and Corrective Actions\n                                       Component          Component         Calendar Days\n                                       Responsible        Monitoring       for Action to be\n              Action                    for Action          Action           Completed\n Final OSCAR report to                                    Component\n component manager and DFI                 CSI             Manager              45 days\n Response with corrective               Component\n actions planned and/or taken            Manager           ARC-PCO              45 days\n Validation that corrective actions\n were taken by the component            ARC-PCOa               CSI              90 days\nNote a: Assistant Regional Commissioner-Processing Center Operations.\n\nIn addition to the OSCARs, the PSC components are subject to other reviews that\nassess management controls. For example, PSC managers conduct their own internal\nreviews using the PSC Component Manager\xe2\x80\x99s Self-Review Guide, which is patterned\nafter the OSCAR guide. The self-review is designed to familiarize the manager with the\nsecurity responsibilities that are part of his/her job and be used as a tool to assess the\nsecurity posture of the manager\xe2\x80\x99s module. 
The CSI staffs also occasionally conduct\ntargeted reviews within the PSC components in areas such as time and attendance to\nmonitor compliance with policies and procedures.\n\n\n\n\nOn-site Security Control and Audit Reviews at PSCs (A-03-07-17064)                         2\n\x0c                                                      Results of Review\nWe found that two of the eight PSCs were not on track with meeting the OSCAR\nrequirement that each PSC component be reviewed at least once every 5 years. SSA\nis now developing an OSCAR guide for the two Headquarters-based PSCs that have\nnever undergone a review. In addition, we found that the CSIs did not have a clear,\nconsistent policy to determine which PSC components should be included in the\nOSCAR process. As a result, the CSIs define the PSC components subject to an\nOSCAR differently. Moreover, our review found that, generally, the CSIs issued timely\nPSC OSCAR reports, and the audited components had taken appropriate actions on the\nrecommendations.\n\nHowever, we found that monitoring and following up on actions related to the OSCAR\nreports could be improved. Lastly, current PSC OSCAR procedures did not include\nsufficient steps to ensure that personally identifiable information (PII) contained in SSA\xe2\x80\x99s\nautomated systems was protected. Such procedures need to be updated to provide for\nadequate review of handling PII contained in SSA\xe2\x80\x99s automated systems.\n\nOSCAR COVERAGE AND SELECTION\nOur review found that two of the eight PSCs were not on track with meeting the OSCAR\nrequirement that each PSC component be reviewed at least once every 5 years. 
In\naddition, we found the Agency did not have a consistent policy to determine which PSC\ncomponents should be included in the OSCAR process.\n\nREQUIRED COVERAGE\n\nIn our review of the eight PSCs subject to an OSCAR during Fiscal Years (FY) 2004 to\n2008, we found that six of the eight PSCs were scheduling reviews in such a way that\nthey would be able to review each component at least once every 5 years. The two\nprocess centers recently identified as PSCs in Baltimore, Maryland, were not in\ncompliance with the requirement.\n\nNon-Headquarters PSCs\n\nSSA management noted that, before FY 2004, there was no minimum requirement for\nthe frequency of reviews or the number of components to be reviewed at the PSCs. 4 To\ndetermine whether the non-Headquarters PSCs were on track to meet the 5-year\nrequirement since the FY 2004 policy was put into place, we obtained information on\nthe PSC OSCARs issued and planned for FYs 2004 through 2008.\n\n\n\n\n4\n SSA management also noted that before FY 2005, CSI staff used the PSC OSCAR guide as an outline\nwhen performing the reviews because it was an outdated document. 
Since May 2005, the PSC OSCAR\nguide has undergone monthly revisions to reflect the current operating environment in the PSCs.\n\nOn-site Security Control and Audit Reviews at PSCs (A-03-07-17064)                       3\n\x0cWe found that the non-Headquarters PSCs had reviewed or planned to review all of\ntheir components by FY 2008, as shown in Table 3.\n\n                       Table 3: Planned and Issued OSCARs Per PSC\n                                   FYs 2004 through 2008\n                  (Related to 159 PSC Components in the 6 Non-Headquarters PSCs)\n                         PSC Components                       Total       Total            Percent\n     PSC        2004    2005   2006    2007\n                                              a\n                                                  2008\n                                                         a\n                                                             Reviews   Componentsb        Reviewedc\nNEPSC             3       3      0       8          12         26            26              100%\n                                                                               d\nMATPSC            4       5      4       5           6         24            18              133%\nSEPSC             9       6      5       5           5         30            29              103%\nGLPSC             6       2      7       8           7         30            29              103%\nWNPSC             0       8      4       6           7         25            25              100%\nMAMPSC            6       6      8       6           6         32            32              100%\n     Total     28       30      28      38      43         167             159             105%\n    Note a: Already issued or planned.\n    Note b: Total components represent the components that were reviewed or scheduled to be reviewed\n            under the OSCAR process. 
However, these do not represent all components that were\n            subject to an OSCAR review (see page 6).\n    Note c: Some components were reviewed or scheduled to be reviewed more than once during the\n            5-year period.\n    Note d: The MATPSC currently reviews 16 components because 2 modules disbanded in April 2006.\n\nThe Northeastern PSC did not review components in FY 2006. CSI staff at the\nNortheastern PSC stated they postponed the FY 2006 OSCARs because of a regional\nmandate that required all component managers to perform a self-review OSCAR in\nFY 2006. 5 The CSI staff acknowledged that these self-reviews do not replace the PSC\nOSCAR 5-year requirement. However, at the time, they considered it counterproductive\nfor every PSC component to conduct both self-reviews and CSI OSCARs at the same\ntime. The CSI staff stated they were closely involved in supporting the manager self-\nreviews.\n\nThe OSCAR guides for other SSA components require a minimum number of OSCARs\nto be conducted each year so that the reviews are performed consistently throughout\nthe 5-year period. For instance, the Office of Disability Adjudication and Review\nOSCAR guide 6 requires that offices annually review 20 percent of the field and\nHeadquarters offices/components under their jurisdiction or use the 10 percent of the\ntargeted review process each year and complete all offices/components within 5 years.\nSSA could develop similar guidance for the PSCs that establishes a minimum\nrequirement for the number of PSC components to be reviewed annually in conjunction\nwith the requirement to review all PSC components at least once during a 5-year cycle.\nIn the case of the Northeastern PSC, such a policy would have led to five OSCARs per\nyear. 
Such a policy would also ensure that PSCs undergo periodic reviews and\ndeficiencies are detected earlier rather than later.\n\n\n\n5\n    We found that 21 of the 26 components had a self-review OSCAR during FY 2006.\n6\n The Office of Disability Adjudication and Review Onsite Security Control and Audit Review Guide\n(April 2006).\n\nOn-site Security Control and Audit Reviews at PSCs (A-03-07-17064)                             4\n\x0cHeadquarters PSCs\n\nThe two Headquarters PSCs, ODO and OIO, 7 had not been reviewed under the PSC\nOSCAR process at the time of our review, even though the two PSCs conducted the\nsame type of work as the non-Headquarters PSCs. 8 CSI staff in the Office of Central\nOperations (OCO) stated that the PSCs were not reviewed using the PSC OSCAR\nguide because most of the questions and steps were not applicable to the PSCs. In our\nreview of the OSCAR guide, we found that, while some of the chapters may not have\nbeen applicable to all the Headquarters PSCs, other chapters were relevant to their\noperations such as (1) time and attendance, (2) security of automated systems, and (3)\nphysical and protective security.\n\nCSI staff noted that self-reviews and other types of reviews had been performed at the\nODO and OIO locations over the years. For example, CSI staff conducted reviews that\ncovered items that are also contained in the OSCAR (that is, time and attendance,\nSingle Payment System [SPS], 9 and programmatic reviews). CSI staff has also\nconducted reviews of the enumeration process at OIO. Moreover, both PSCs were also\nsubject to operations reviews that included security and mailroom reviews.\n\nCSI staff informed us that they were developing an OSCAR guide for the ODO and OIO\nPSCs and planned to implement it in FY 2008. 
We believe this change in operations\nwill formalize the review process at the two PSCs, increase monitoring of reviews and\nrecommendations, 10 and ensure the two PSCs are subject to the same requirements as\nnon-Headquarters PSCs.\n\nSELECTION OF COMPONENTS FOR REVIEW\n\nThe CSIs did not have a clear, consistent policy to determine which PSC components\nshould be included in the OSCAR process. While the PSC OSCAR requires that all\nPSC components be reviewed at least once during a 5-year cycle, we found that the\nCSIs had defined the PSC components subject to an OSCAR review differently.\n\nAlthough the six non-Headquarters PSCs had approximately 185 components\nnationally, 11 the CSIs only reviewed or were scheduled to review 159 of these\ncomponents under the OSCAR process (see Table 4). Hence, 26 (14 percent)\ncomponents within 5 PSCs did not receive or were not scheduled to receive an OSCAR\nreview. For each PSC, the CSI determined which components should be reviewed\n\n7\n    See Appendix C for information on the role of ODO and OIO.\n8\n    SSA Program Operations Manual System OS 01201.001 \xee\xa0\xbaFunctions of the Program Service Centers.\n9\n The SPS is a national system used to automate appointed representative fee payments and other Title II\npayments that cannot be made through the current Title II system.\n10\n     We discuss this in the next section of the report.\n11\n  We reviewed the organizational charts and/or telephone directories for each of the six PSCs and\nconfirmed our understanding of the PSC organizational structure with PSC management.\n\nOn-site Security Control and Audit Reviews at PSCs (A-03-07-17064)                              5\n\x0cusing the PSC OSCAR guide. 
Several CSI staff stated they did not conduct PSC\nOSCARs on certain PSC components such as the Operations Support Branch and the\nComputer Operations Section because many of the PSC OSCAR chapters were not\napplicable.\n\n                   Table 4: PSC Components Not Reviewed Under OSCAR\n                                  FYs 2002 through 2006\n                   (Related to 185 PSC Components in the 6 Non-Headquarters PSCs)\n                                                                              Percentage of\n                       Total Number      Components       Components Not     Components Not\n                             of         Reviewed Using    Reviewed Using    Reviewed Using the\n          PSC          Components      the PSC OSCAR        the OSCAR            OSCAR\n     MATPSC                   31                  18           13                 42%\n     MAMPSC                   41                  32            9                 22%\n     NEPSC                    28                  26            2                  7%\n     WNPSC                    26                  25            1                  4%\n     GLPSC                    30                  29            1                  3%\n     SEPSC                    29                  29            0                  0%\n         Total               185                 159           26                 14%\n\nAs an example, the CSI staff at the Mid-Atlantic PSC reviewed 18 components using\nthe PSC OSCAR guide to include 16 modules, the Intermediate Claims Taking Unit, and\nthe Inquiry and Expediting Unit. 
However, they excluded 13 (42 percent) of the\ncomponents in the PSC from the OSCAR review process such as\n\n\xe2\x80\xa2     the mailroom,\n\xe2\x80\xa2     the four Process Areas,\n\xe2\x80\xa2     the Disability Processing Branch,\n\xe2\x80\xa2     the Operations Support Branch,\n\xe2\x80\xa2     the Operations Analysis Section,\n\xe2\x80\xa2     the Computer Operations Section, and\n\xe2\x80\xa2     the Debt Management Section. 12\n\nCSI staff at the Mid-Atlantic PSC stated they conducted compensating reviews for PSC\ncomponents that were not reviewed under the OSCAR process, such as annual\nmailroom audits, third-party draft and acquisition audits, and remittance and accounting\nunit annual audits. In our discussion with CSI staff at the other regions, we were told\nthat they also conducted various internal control reviews of components not covered by\nan OSCAR.\n\nWe found the SEPSC was the only location where all of the components had been\nreviewed under the OSCAR guide. The CSI at the SEPSC reviewed all 29 of the PSC\ncomponents as well as 5 Management and Operations Support (MOS) components that\n\n\n\n12\n     See Appendix D for a full listing of components.\n\nOn-site Security Control and Audit Reviews at PSCs (A-03-07-17064)                       6\n\x0care housed within the PSC. 13 CSI staff stated that the purpose of including all of these\ncomponents within the OSCAR was to maintain a consistent security posture within the\nphysical location of the SEPSC. Furthermore, they explained that they used the PSC\nOSCAR chapters applicable to the component being reviewed. For example, the\nOSCAR of the Labor Management and Employee Relations component was conducted\nusing (1) time and attendance, (2) security of automated systems, and (3) physical\nsecurity chapters of the OSCAR guide. The final OSCAR report contained relevant\nfindings and recommendations related to time and attendance and the security of\nautomated systems. 
CSI staff also discussed various aspects of physical security with\nmanagement as part of their review.\n\nCORRECTION OF DEFICIENCIES\nGenerally, we found that the CSIs issued timely PCS OSCAR reports and the audited\ncomponents had taken appropriate actions on the recommendations. However,\nmonitoring and follow-up actions related to the OSCAR process needed to be improved.\n\nTIMELINESS OF ISSUING AND RESPONDING TO OSCAR REPORTS\n\nThe OSCAR guide requires the issuance of an OSCAR report within 45 calendar days\nfrom the completion of the OSCAR. We found that the OSCAR reports were issued\ntimely or close to on time, as shown in Table 5. The reports were issued on average\n13 to 51 calendar days. Moreover, the PSCs are required to provide to the CSIs a\nreport of corrective action planned and/or taken within 45 days of receipt of the OSCAR\nreport. Table 5 shows the PSCs issued the corrective action reports within the 45-day\nperiod or close to this period. These reports were issued within an average of 38 to\n57 days.\n\n                          Table 5: Timeliness of OSCAR Reports\n                                  (Issued in FYs 2005 and 2006)\n                             PSC Oscar Reports     Average Number            Average\n                             Issued in FYs 2005     of Days to Issue       Component\n               PSC                and 2006              Report            Response Time\n       NEPSC                          3                     32                  57\n       MATPSC                         9                     46                  41\n       SEPSC                         11                     13                  38\n       GLPSC                          9                     27                  40a\n       WNPSC                         12                     51                  39\n       MAMPSC                        14                     26                  39\n       a\n        Note: The 40-day average component response 
time for GLPSC was calculated based on\n       six reports instead of the nine reports that were issued. The CSI at GLPSC did not have\n       evidence that it had received a corrective action reponses for three reports.\n\n\n\n\n13\n   The SEPSC reviewed five MOS components as part of the OSCAR because these components are\nhoused within the PSC. The five components include the (1) Labor Management and Employee\nRelations; (2) Servicing Personnel Team; (3) Fiscal and Building Management Team; (4) Birmingham\nInformation Technology Team and (5) Training and Employee Development Team.\n\nOn-site Security Control and Audit Reviews at PSCs (A-03-07-17064)                          7\n\x0cFOLLOW-UP REPORTS\n\nWe were unable to determine the timeliness of the PSC OSCAR validation reports for\nFYs 2005 to 2006 for the six PSCs because of incomplete CSI documentation. Under\nthe OSCAR process, the ARC-PCOs are responsible for validating that corrective\nactions have been implemented by sending a validation report to the CSIs 90 days after\nreceipt of the component\xe2\x80\x99s response. We found that only the CSIs within Western and\nMid-America maintained validation documentation for both FYs 2005 and 2006. In\ngeneral, the CSIs relied on the ARC-PCO validation process to track and verify that the\nrecommended corrections were implemented. While the validation reports were being\ntracked by the ARC-PCO, it is the responsibility of the CSIs to track the validation\nreports sent to them to ensure the receipt and timeliness of the validation reports.\n\nWe visited the six PSC components to determine whether the recommendations had\nbeen implemented timely and whether appropriate actions were taken. At each PSC,\nwe reviewed the last OSCAR reports issued in FY 2006. 14 We found that the 6 PSCs\nhad implemented 90 (92 percent) of the 98 recommendations by the time we visited,\nwhich was at least 9 months after the reports were issued (see Table 6). 
There were
eight recommendations that were not implemented, and they related to a number of
areas, including (1) enumeration, (2) SPS, (3) management controls, and (4) time and
attendance. 15

                   Table 6: OSCAR Recommendations Not Implemented
                (FY 2006 OSCAR Reports for Components at Six PSCs)

            CSI OSCAR     OIG Review                    Recommendations
   PSC      Report Date   Date          Total    Implemented    Not Implemented    Percent Implemented
   SEPSC    09/01/2006    07/19/2007     24          24               0                 100%
   MAMPSC   09/28/2006    07/01/2007     25          25               0                 100%
   MATPSC   08/16/2006    06/26/2007     22          19               3                  86%
   WNPSC    09/29/2006    07/26/2007      7           6               1                  86%
   GLPSC    03/01/2006    07/19/2007     13          11               2                  85%
   NEPSC    10/20/2006    07/31/2007      7           5               2                  71%
   Total                                 98          90               8                  92%

MONITORING SYSTEMS

We found that four of the six CSIs had no central management tracking system for
follow-up on the OSCAR findings, corrections, or receipt of validation reports.
While
the PSC OSCAR guide does not require that a CSI maintain a tracking system, we
believe that not doing so increases the risk that OSCAR recommendations remain
unresolved (as noted earlier) and that managers do not have the information necessary
to track the results of the OSCAR process.

14 The NEPSC did not issue a report in FY 2006; therefore, we selected the first report issued in FY 2007.
15 See Appendix E for more details about the recommendations that were not implemented.

We found that CSIs in the MATPSC and SEPSC had tracking systems in place to
monitor the entire OSCAR process. The CSI office at the SEPSC had the most
comprehensive system for tracking the OSCAR process. Within the tracking system,
reviews were tracked by FY from the date the notification memorandum was sent to
the component manager through the verification of the corrective actions. The
tracking system included

•    a component checklist that tracked the component OSCARs by FY;
•    the CSI's 5-year plan of PSC OSCARs; and
•    a checklist that tracked the manager self-reviews by FY.

As for the four remaining PSCs, the CSI management did not track their reports through
the entire OSCAR process. Instead, they relied on the individual CSI staff to follow up
on the response to the reports through the OSCAR process using email reminders
and/or the ARC-PCO validation process.

Furthermore, we found that the lack of adequate management information was also
evident at the national level. For instance, we found that the national DFI tracking
reports 16 incorrectly documented the status of PSC OSCAR reports at five of the six
PSCs during FYs 2002 through 2006. As shown in Table 7, the DFI tracking reports did
not document 14 OSCARs conducted in 4 PSCs for 4 of the 5 FYs reviewed.
We also
found that the DFI tracking reports for FYs 2003 and 2005 documented four reviews in
the Great Lakes and Western PSCs that the regions had not conducted. Neither DFI nor
the CSIs could provide evidence to explain why the OSCAR reports were incorrectly
documented on the DFI tracking reports.

16 Every FY, the DFI develops the Division of Financial Integrity Tracking Report, which is an internal
tracking report. The information in the report is based on data requests sent to the regions and reporting
requirements in the PSC OSCAR guide. In the report, DFI monitors the number of reviews conducted to
support the Agency's compliance with guidance, and for inclusion in the Agency's Annual Performance
and Accountability Report (PAR). These reviews are discussed in the Systems and Controls section of
the PAR, and statistics about the OSCARs are presented.

                           Table 7: OSCAR Reviews Documented
                           Incorrectly on the DFI Tracking Reports

                                          FY      FY      FY      FY
                  PSC                    2002    2003    2005    2006    Total
       Reviewed But Not Documented in the DFI Tracking Report
                  SEPSC                    2       1       -       -       3
                  MATPSC                   1       2       1       1       5
                  GLPSC                    -       -       -       1       1
                  MAMPSC                   5       -       -       -       5
                  Total                    8       3       1       2      14
       Documented in the DFI Tracking Report But Not Reviewed
                  GLPSC                    -       1       -       -       1
                  WNPSC                    -       -       3       -       3
                  Total                    -       1       3       -       4
       Grand Total                         8       4       4       2      18

According to SSA staff, the Agency goal is to develop an Automated OSCAR for the
PSCs in the near future that will automatically monitor and track the OSCAR process.
Currently, SSA tracks and monitors the field office OSCARs using the Automated
OSCAR, which allows CSI to enter the findings electronically and generate the required
reports, corrective action plans, and validations, thereby eliminating the manual
reporting requirements. Moreover, DFI has access to the Automated OSCAR for field
offices, which eliminates the need for CSIs to manually report to DFI the number of field
office OSCARs conducted during the FY. We encourage SSA to expedite the
development of the PSC Automated OSCAR, as we believe a centralized tracking
system will help improve monitoring and follow-up actions for the PSC OSCARs as well
as produce accurate management information reports.

PROTECTION OF SENSITIVE DATA

Current PSC OSCAR procedures do not include sufficient steps to ensure that PII
contained in SSA's automated systems is protected. Such procedures need to be
updated to provide for adequate review of the handling of PII contained in SSA's
automated systems. Chapter 5 of the PSC OSCAR guide, Security of Automated
Systems, includes procedures for reviewing SSA's automated systems and associated
data at PSCs. The OSCAR guide should further consider current work environments
that allow some PSC staff to work from home using an SSA-provided laptop. For
example, the PSC OSCAR does not review the procedures in place to safeguard laptop
computers and/or the PII contained within laptop computers taken outside of the
PSCs. 17

17 In June 2006, SSA released interim guidance on safeguarding this information as part of its Information
Systems Security Handbook, which provides basic security guidance for SSA employees, contractors,
and government or business partners who handle SSA information. The responsibility to protect PII
applies at all times, regardless of whether SSA employees, contractors or other government personnel
with this information are officially on duty or not on duty. SSA is working on an additional information
security document geared to the individual users and managers outlining all the information security
issues.

                                                    Conclusions and
                                                   Recommendations

While SSA is making progress to ensure that all PSCs meet the 5-year OSCAR review
requirement, the Agency needs to ensure that the CSI components have a consistent
method for identifying components subject to review and then maintain a management
tracking system to assess their overall progress. Finally, SSA needs to ensure the PSC
OSCAR guide addresses known areas of risk, such as the need to safeguard laptop
computers and/or the PII contained therein.

RECOMMENDATIONS

To improve the OSCAR process and increase its effectiveness, we recommend SSA:

1. Develop a consistent national policy on which PSC components are included in the
   OSCAR process and ensure any changes from this policy are approved by DFI
   management.

2. Review all PSC components at least once during a 5-year cycle.

3. Establish a minimum number or percent of PSC component reviews that must be
   conducted annually within each region, similar to the 10-percent rule used by other
   SSA offices conducting OSCARs.

4. Ensure the ODO and OIO PSCs are reviewed timely under the PSC OSCAR
   process.

5. Require that the CSI offices obtain and maintain validation reports in a timely
   manner.

6. Develop the Automated OSCAR for the PSCs so that CSIs can (a) automatically
   track and monitor the OSCAR reports, corrective actions, and validation reports and
   (b) accurately report to DFI the number of reviews conducted.

7. Update the OSCAR guide, as needed, to include the protection of sensitive data,
   especially to safeguard laptop computers and/or the PII contained within laptop
   computers taken outside of the PSCs.

AGENCY COMMENTS

SSA agreed with our recommendations. The Agency's comments are included in
Appendix F.

                                           Appendices

                                                                     Appendix A

Acronyms
 ARC-PCO           Assistant Regional Commissioner for Processing Center Operations
 CPS               Critical Payment System
 CSI               Center for Security and Integrity
 DFI               Division of Financial Integrity
 FPPS              Federal Personnel Payroll System
 FMFIA             Federal Managers' Financial Integrity Act
 FY                Fiscal Year
 GLPSC             Great Lakes Program Service Center
 MCR               Management Control Review
 MAMPSC            Mid-America Program Service Center
 MATPSC            Mid-Atlantic Program Service Center
 MOS               Management Operations Support
 NEPSC             Northeastern Program Service Center
 OCO               Office of Central Operations
 ODO               Office of Disability Operations
 OIO               Office of International Operations
 OSCAR             On-site Security Control and Audit Review
 PAR               Performance and Accountability Report
 PII               Personally Identifiable Information
 PSC               Program Service Center
 SPS               Single Payment System
 SSA               Social Security Administration
 SEPSC             Southeastern Program Service Center
 WNPSC             Western Program Service Center

                                                                     Appendix B

Scope and Methodology

To accomplish our objectives, we:

•   Reviewed the Social Security Administration's (SSA) policies and procedures
    pertaining to the Program Service Centers (PSC), including the criteria pertaining to
    On-site Security Control and Audit Reviews (OSCAR) at PSCs. The PSC OSCAR
    guide for Fiscal Year (FY) 2006 1 consists of 10 chapters, as shown below:

       o   Third Party Draft Account;
       o   Acquisitions;
       o   Debt Management System;
       o   Time and Attendance;
       o   Security of Automated Systems;
       o   Physical and Protective Security;
       o   Enumeration;
       o   Single Payment System and One Check Only Payments;
       o   Integrity Review Areas; and
       o   Management Controls.

•   Reviewed prior Office of the Inspector General audit reports.

•   Met with SSA staff to gain a better understanding of the OSCAR process as well as
    other compensating controls.

•   Gained an understanding of PSC components through interviews with PSC staff as
    well as a review of PSC organizational charts and telephone directories.

•   Obtained a listing of all PSC OSCARs performed at the PSCs during FYs 2002 to
    2006 and reviews scheduled during FYs 2007 and 2008.
For the FYs 2005 to 2006
    audit period, we:

    o Collected and analyzed data related to the timeliness of issuing OSCAR reports
      related to the PSC OSCARs performed.

    o Selected the last OSCAR reports issued in FY 2006 for the six non-Headquarters
      PSCs. If the PSC did not issue a report in FY 2006, we selected the first report
      issued in FY 2007. The reports were selected for our visit to the six PSCs to
      determine whether the OSCAR follow-up process was correctly followed and that
      recommendations were implemented as required.

1 Before 2006, the OSCAR guide had 13 chapters; for FY 2006, the Integrity Review chapter was
added and 4 chapters were deleted.

We found data used for this audit to be sufficiently reliable to meet our objectives. The
entity audited was the Office of the Deputy Commissioner of Operations. We conducted
our fieldwork from December 2006 through September 2007 in Philadelphia,
Pennsylvania; New York, New York; Richmond, California; Kansas City, Missouri;
Chicago, Illinois; Birmingham, Alabama; and Baltimore, Maryland. We conducted this
performance audit in accordance with generally accepted government auditing
standards. Those standards require that we plan and perform the audit to obtain
sufficient, appropriate evidence to provide a reasonable basis for our findings and
conclusions based on our audit objectives.
We believe that the evidence obtained
provides a reasonable basis for our findings and conclusions based on our audit
objectives.

                                                                     Appendix C

Functions and Description of the Program Service Centers

The Program Service Centers (PSC) are six large and complex multi-mission stations,
established as extensions of the national Headquarters. There are actually eight such
centers, collectively referred to as "processing centers." The other two centers are
located in the national Headquarters of the Social Security Administration (SSA) in
Baltimore, Maryland. The Office of Disability Operations (ODO) in Baltimore performs
generally the same type of work as a PSC and serves all persons less than 59 years of
age claiming disability insurance or black lung benefits. The Office of International
Operations (OIO) PSC serves all accounts in which one or more beneficiaries resides in
a foreign country. In addition, this PSC provides technical supervision to Foreign
Service posts for the taking and development of claims and the investigation of
subsequent actions affecting benefit payments.

The primary missions of the PSCs are to:
1. Provide uniform, accurate, and prompt processing of Social Security claims and
   post-adjudicative changes after beneficiaries have been entitled.
2. Perform formal and informal reconsideration of determinations.
3. Make determinations of overpayments and collect amounts due.
4. Maintain document records, update computer records, and certify payment and
   collection transactions to the Department of the Treasury. 1

All 8 PSCs in our review consist of a total of 257 components. The 6 non-Headquarters
PSCs consist of 185 components located in 6 regions nationwide.
The 2 PSCs located
in the national Headquarters, ODO and the OIO, consist of 58 components and
14 components, respectively.

1 SSA Program Operations Manual System OS 01201.001, Functions of the Program Service Centers.

                                                                     Appendix D

Comparison of Program Service Center Components Reviewed Under On-Site
Security Control and Audit Reviews

In our review, we found that each Center for Security and Integrity (CSI) office had its
own definition of the Program Service Center (PSC) components subject to review
under the On-site Security Control and Audit Review (OSCAR) process. In Table D-1,
we show a comparison of the components reviewed using the OSCAR guide in the
Mid-Atlantic PSC and the Southeastern PSC. We found that the Mid-Atlantic PSC CSI
staff reviewed 18 of its 31 components, whereas CSI staff at the Southeastern PSC
reviewed all 29 components in the PSC.

                              Table D-1: PSC Components
                                Reviewed Using OSCAR

      Types of Program Service Center Component                   MATPSC    SEPSC
      Modules                                                       Yes       Yes
      Immediate Claims Taking Unit                                  Yes       Yes
      Inquiry and Expediting                                        Yes       Yes
      Process Division Office                                       No        Yes
      Processing Center Operations                                  No        Yes
      Disability Process Branch                                     No        Yes
      Operations Analysis Section                                   No        Yes
      Mail & Direct Input                                           No        Yes
      Computer Operations Section & Unit                            No        Yes
      Debt Management Section, Contact Unit, Remittance &
      Accounting & Debt Specialist Unit                             No        Yes
      Operations Support Branch                                     No        Yes

                                                                     Appendix E

Recommendations Not Implemented

We conducted reviews in the six non-Headquarters Program Service Centers (PSC) to
determine whether the recommendations from the On-site Security Control and Audit
Reviews (OSCAR) had been implemented timely and whether appropriate actions were
taken. We selected the last OSCAR reports issued in Fiscal Year (FY) 2006 for all of
the six PSCs in our review except the Northeastern PSC, which did not issue a report in
FY 2006. In this case, we selected the first report issued in FY 2007. We found that, of
98 recommendations made by the Centers for Security and Integrity, 8
recommendations were not implemented. Table E-1 gives a summary of the
recommendations.

                       Table E-1: Recommendations Not Implemented

   PSC                Chapter                 Recommendation
   Northeastern PSC   Enumeration             Authorizers must ensure Numident changes meet
                                              requirements.
                      Single Payment          Remind authorizers to follow Agency procedures for
                      System (SPS)            determining eligibility for death underpayments and
                                              dividing these payments according to relationship to
                                              the deceased beneficiary. Remind authorizers to code
                                              the Social Security numbers of death underpayment
                                              payees per instructions. 1
   Mid-Atlantic PSC   Time and Attendance     Action should be taken to ensure that the timekeeper
                                              completes all items on the pre-approval register.
                      Integrity               Integrity reviews should have the correct remarks
                                              documented on the certification screen per
                                              instructions.
                      Enumeration             Refresher training is provided to the PSC Spikers on
                                              handling calls involving the enumeration process.
   Great Lakes PSC    Management Controls     Management should ensure that the Critical Payment
                                              System (CPS) 2 records on the monthly reports are
                                              properly adjusted.
                                              Management should ensure that SPS cases are
                                              processed timely to avoid possible tampering with
                                              payment addresses or duplicate payments.
   Western PSC        Time and Attendance     The timekeeper should reconcile the Mainframe Time
                                              and Attendance System to the information posted to
                                              the Federal Personnel Payroll System (FPPS) 3 record.

1 Although the manager sent a reminder to all authorizers to follow the Agency procedures concerning
death underpayments, we found the finding still existed at the time of the follow-up review.

2 CPS pays retroactive Title II benefits in critical cases and special situations when Master Beneficiary
Record payments are either not being made or being made while additional benefits are due.

3 FPPS is an on-line, integrated personnel/payroll system used for the processing of all personnel and
pay-related functions.

                                                                     Appendix F

Agency Comments

                                         SOCIAL SECURITY

MEMORANDUM

Date:       April 1, 2008                                                        Refer To:   S1J-3

To:         Patrick P. O'Carroll, Jr.
            Inspector General

From:       David Foster /s/
            Chief of Staff

Subject:    Office of the Inspector General (OIG) Draft Report, "On-site Security Control and Audit
            Reviews at Program Service Centers" (A-03-07-17064)--INFORMATION

           We appreciate OIG's efforts in conducting this review. Our comments regarding the draft report
           and response to the recommendations are attached.

           Please let me know if we can be of further assistance. Staff inquiries may be directed to
           Ms. Candace Skurnik, Director, Audit Management and Liaison Staff, at (410) 965-4636.

           Attachment

COMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL'S DRAFT REPORT,
"ON-SITE SECURITY CONTROL AND AUDIT REVIEWS AT PROGRAM SERVICE
CENTERS" (A-03-07-17064)

Thank you for the opportunity to review and provide comments on this draft report.

Recommendation 1

Develop a consistent national policy on which Program Service Center (PSC) components are
included in the On-Site Security Control and Audit Review (OSCAR) process and ensure any
changes from this policy are approved by Division of Financial Integrity (DFI) management.

Comment

We agree. The Division of Systems Security and Program Integrity is working closely with the
DFI to develop a consistent national policy, ensuring that any deviations from the policy are
approved by DFI management. We plan to have the policy decisions completed by
June 30, 2008.

Recommendation 2

Review all PSC components at least once during a 5-year cycle.

Comment

We agree. We are considering the 5-year cycle as an option as we develop our National policy
(see our response to recommendation 1). We plan to have the policy decisions completed by
June 30, 2008.

Recommendation 3

Establish a minimum number or percent of PSC component reviews that must be conducted
annually within each region, similar to the 10 percent rule used by other SSA offices conducting
OSCARs.

Comment

We agree. We are considering the 10 percent rule as an option as we develop our National
policy (see our response to recommendation 1).
We plan to have the policy decisions completed
by June 30, 2008.

Recommendation 4

Ensure the Office of Disability Operations (ODO) and the Office of International Operations
(OIO) PSCs are reviewed timely under the PSC OSCAR process.

Comment

We agree. In December 2007, we established the OSCAR project plan for ODO and OIO PSCs.
They are both now subject to timely reviews under the PSC OSCAR process. The 5-year plan
started in January 2008, and will be completed in August 2012. The plan includes a review of
each Office of Central Operations component within that timeframe.

Recommendation 5

Require that the Center for Security and Integrity (CSI) offices obtain and maintain validation
reports in a timely manner.

Comment

We agree. Our ability to monitor for compliance will be enhanced by the automation of the PSC
OSCAR (see our response to recommendation 6). A reminder will be issued in April 2008 to all
of our CSIs informing them that they are to ensure that they obtain and maintain validation
reports in a timely manner.

Recommendation 6

Develop the Automated OSCAR for the PSCs so that CSIs can: a) automatically track and
monitor the OSCAR reports, corrective actions, and validation reports; and b) accurately report
to DFI the number of reviews conducted.

Comment

We agree. We are in the process of enhancing our current field office website of Automated
OSCARs to include the PSC OSCAR process. Our target date for completion of the
enhancements is early fiscal year 2009.
Once the enhancements are complete, we will be able to
automatically track and monitor the OSCAR reports, corrective actions, and validation reports.
We will also be able to provide accurate and timely data to DFI regarding the number of reviews
conducted.

Recommendation 7

Update the OSCAR guide, as needed, to include the protection of sensitive data, especially to
safeguard laptop computers and/or the Personally Identifiable Information (PII) contained within
the laptop computers taken outside of the PSCs.

Comment

We agree. Currently, we update the guide on a monthly basis to ensure it is in alignment with
the current security policies and procedures. While the current version of the PSC OSCAR guide
does contain questions related to the protection of sensitive data, including properly securing
laptops in the office when not in use, it does not contain a question regarding the protection of
PII contained within laptop computers taken outside of the PSCs.
We will add this type of
question to the PSC OSCAR guide by May 2008.

                                                                     Appendix G

OIG Contacts and Staff Acknowledgments

OIG Contacts
   Cylinda McCloud-Keal, Director, Philadelphia Audit Division, (215) 597-0572

Acknowledgments
In addition to those named above:

   Mary Dougherty, Auditor-in-Charge

   Richard Devers, Information Technology Specialist

   Elizabeth Juarez, Senior Auditor

   Timothy Meinholz, Senior Auditor

   Denise Molloy, Senior Analyst

   Karis Crane, Auditor

   Hollie Reeves, Auditor

   Nichole Purnell, Program Analyst

For additional copies of this report, please visit our web site at
www.socialsecurity.gov/oig or contact the Office of the Inspector General's Public
Affairs Specialist at (410) 965-3218. Refer to Common Identification Number
A-03-07-17064.

                           DISTRIBUTION SCHEDULE

Commissioner of Social Security
Office of Management and Budget, Income Maintenance Branch
Chairman and Ranking Member, Committee on Ways and Means
Chief of Staff, Committee on Ways and Means
Chairman and Ranking Minority Member, Subcommittee on Social Security
Majority and Minority Staff Director, Subcommittee on Social Security
Chairman and Ranking Minority Member, Committee on the Budget, House of
Representatives
Chairman and Ranking Minority Member, Committee on Oversight and Government
Reform
Chairman and Ranking Minority Member, Committee on Appropriations, House of
Representatives
Chairman and Ranking Minority Member, Subcommittee on Labor, Health and Human
Services, Education and Related Agencies, Committee on Appropriations,
House of Representatives
Chairman and Ranking Minority Member, Committee on Appropriations, U.S. Senate
Chairman and Ranking Minority Member, Subcommittee on Labor, Health and Human
Services, Education and Related Agencies, Committee on Appropriations, U.S. Senate
Chairman and Ranking Minority Member, Committee on Finance
Chairman and Ranking Minority Member, Subcommittee on Social Security, Pensions
and Family Policy
Chairman and Ranking Minority Member, Senate Special Committee on Aging
Social Security Advisory Board

               Overview of the Office of the Inspector General

The Office of the Inspector General (OIG) is comprised of our Office of Investigations (OI),
Office of Audit (OA), Office of the Chief Counsel to the Inspector General (OCCIG), and Office
of Resource Management (ORM). To ensure compliance with policies and procedures, internal
controls, and professional standards, we also have a comprehensive Professional Responsibility
and Quality Assurance program.

                                        Office of Audit

OA conducts and/or supervises financial and performance audits of the Social Security
Administration's (SSA) programs and operations and makes recommendations to ensure
program objectives are achieved effectively and efficiently. Financial audits assess whether
SSA's financial statements fairly present SSA's financial position, results of operations, and cash
flow. Performance audits review the economy, efficiency, and effectiveness of SSA's programs
and operations. OA also conducts short-term management and program evaluations and projects
on issues of concern to SSA, Congress, and the general public.

                                    Office of Investigations

OI conducts and coordinates investigative activity related to fraud, waste, abuse, and
mismanagement in SSA programs and operations. This includes wrongdoing by applicants,
beneficiaries, contractors, third parties, or SSA employees performing their official duties. This
office serves as OIG liaison to the Department of Justice on all matters relating to the
investigations of SSA programs and personnel. OI also conducts joint investigations with other
Federal, State, and local law enforcement agencies.

                   Office of the Chief Counsel to the Inspector General

OCCIG provides independent legal advice and counsel to the IG on various matters, including
statutes, regulations, legislation, and policy directives. OCCIG also advises the IG on
investigative procedures and techniques, as well as on legal implications and conclusions to be
drawn from audit and investigative material. Finally, OCCIG administers the Civil Monetary
Penalty program.

                              Office of Resource Management

ORM supports OIG by providing information resource management and systems security. ORM
also coordinates OIG's budget, procurement, telecommunications, facilities, and human
resources. In addition, ORM is the focal point for OIG's strategic planning function and the
development and implementation of performance measures required by the Government
Performance and Results Act of 1993.